<!DOCTYPE html>
{% autoescape true %}
<html>
    <head>
        <title>Input Sanitization</title>
        <link href='/css/base.css' rel='stylesheet' type='text/css'></link>
    </head>

    <body>
        <h1>Input Sanitization</h1>
        
        <div>One of the defense against XSS is "Input Sanitization". The following example demonstrates both the attack and solution in GAE</div>
        <ul>
            <li>User issue a XSS attack which is sent to server</li>
            <li>The input is sanitized with jinja2 striptags() </li>
            
            <div>Attack without sanitization "{{ attack }}"</div>
            <div>Attack with sanitization "{{ sanitized }}"</div>
            <br>
            
            <li>However, the attack is still not executed. why?</li>
            <li>Because output encoding (autoescape) is enabled in the template</li>
        </ul>       
        
        <a href="/">Home</a>
    </body>
</html>

{% endautoescape %}